US20100192193A1 - Security restriction techniques for browser-based applications - Google Patents
Security restriction techniques for browser-based applications Download PDFInfo
- Publication number
- US20100192193A1 US20100192193A1 US12/358,268 US35826809A US2010192193A1 US 20100192193 A1 US20100192193 A1 US 20100192193A1 US 35826809 A US35826809 A US 35826809A US 2010192193 A1 US2010192193 A1 US 2010192193A1
- Authority
- US
- United States
- Prior art keywords
- external application
- application
- client browser
- data
- computer
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
- 238000000034 method Methods 0.000 title claims abstract description 29
- 238000005516 engineering process Methods 0.000 abstract description 7
- 238000010200 validation analysis Methods 0.000 abstract description 3
- 238000010586 diagram Methods 0.000 description 4
- 230000003287 optical effect Effects 0.000 description 2
- 238000004891 communication Methods 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
Definitions
- an external component hosted by a third party that needs to be given access to the user's account on another system in order to provide its desired functionality.
- An example of such an external component can be a third party chart control that displays data from a content management application in interesting ways.
- the application can elevate its permissions based upon the user interacting with it. This might occur, for example, when the external application has read-only permissions but is used by a user that has write permissions. In this latter scenario, the external application could use the user's permission to write data, possibly without the user even knowing about it.
- any time an external application is given authority to take an action based upon either the external application's security permission or the user's security permission level there is an opportunity for an unauthorized elevation of permissions to occur.
- a method for restricting operations that can be performed by an external application that is being run in a client browser is described.
- a request is received from a client browser to login to an original application.
- a session token is returned to the client browser after validating that access to the original application can be granted to the client browser.
- a request is received from an external application to login to the original application.
- Validation is performed to confirm that access to the original application can be granted to the external application.
- a request for data is received from the external application, with the request for data containing the session token that the external application obtained from the client browser.
- the data requested by the external application is retrieved.
- an intersection is performed on a permission set of a user of the client browser and of the external application to determine a new permission set to use for retrieving the data requested by the external application.
- the data is returned to the external application.
- FIG. 1 is a diagrammatic view of a system for restricting permission levels of external applications of one implementation.
- FIG. 2 is a process flow diagram for one implementation illustrating the stages involved in restricting the permission level of an external application being accessed from a client browser.
- FIG. 3 is a process flow diagram for one implementation illustrating the stages involved in performing an intersection on the permission set of the external application and on a user of the client browser to determine a new permission level to use.
- FIG. 4 is a diagrammatic view of three exemplary permission intersections between a user's account permissions and an external application's permissions.
- FIG. 5 is a diagrammatic view of a computer system of one implementation.
- the technologies and techniques herein may be described in the general context as an application that restricts the permission level that external applications can use when running in a client browser, but the technologies and techniques also serve other purposes in addition to these.
- one or more of the techniques described herein can be implemented as features within any other type of program or service that allows external applications to access data on behalf of a user.
- a user account for an original application is assigned to an external application (or to the server hosting the external application, etc.)
- Original application as used herein is meant to include any type of application that has functionality that needs to be accessed by an external application for use in a client browser.
- external application as used herein is meant to include an application that resides on a separate process boundary or server from the original application, such as on a third party server.
- client browser as used herein is meant to include a web browser that resides on a device being operated by a user.
- the user account for the original application that is assigned to the external application is marked with a special indicator so that the external application will only be granted permissions to the original application if the user is also separately logged in to the original application.
- a session token is returned back to the client browser.
- the term “session token” as used herein is meant to include an identifier assigned to the user's current session in the client browser. That session token is provided to the external application by the client browser. That way, when the external application makes requests for data from the original application, the original application will know what user session the application is associated with.
- the system also performs an intersection of permissions between the user's permission level and the external application's permission level to determine a new permission set to use for any operations requested by the external application.
- the term “performing an intersection” or “performs an intersection” as used herein is meant to include the process of doing an AND operation on the permissions between the two accounts to determine a new permission set. In an “AND” operation, only permissions that are contained in each set of permissions will be included in the new permission set.
- new permission set as used herein is meant to include the list of zero or more permissions that result after performing an intersection. Several examples of performing an intersection are shown in FIG. 4 .
- FIG. 1 is a diagrammatic view of one implementation of a system 100 for restricting permission levels of external applications.
- System 100 includes a client browser 102 , original application 104 , and an external application 106 .
- Original application 104 can be an application such as a content management application or any type of application that has data that is being requested by client browser 102 and/or the client component of external application 106 that is running within client browser 102 .
- External application 106 can be any type of application that resides on a separate application domain or server from original application 104 .
- external application 106 can be a component that is being displayed in client browser 102 that needs access to data contained in original application 104 in order to perform its intended functionality.
- an external application 106 can include a chart component that gets displayed in client browser 102 with data from original application 104 organized in a particular type of chart.
- External application 106 can be of virtually any type of component that is used within client browser 102 , but that needs access to data from original application 104 in order to perform at least part of its desired function.
- a user account for the original application 104 is assigned to the external application 106 .
- a separate user account for the external application can be assigned to each server that runs the external application, just one for the external application overall, or the user account could be shared by all applications that the server running the external application hosts. Numerous other configurations of assigning one or more user accounts for use by the external application 106 could also be used.
- the user account for the original application 104 that is assigned to the external application 106 is marked with a special indicator so that the external application 106 will only be granted permissions to the original application 104 if the user is also separately logged in to the original application.
- a session token is returned back to the client browser.
- the session token can be in one of a variety of formats, and can include identifiers such as a time identifier, an application identifier, and/or a user identifier. Any data that uniquely identifier this particular session by the user could be included within the session token.
- That session token is then provided to the external application by the client browser.
- client browser 102 makes the request to external application 106 to perform some functionality that requires data from original application 104
- client browser 102 provides the session token to external application 106 . That way, when the external application 106 makes requests for data from the original application 104 , the original application 104 will know what user session the external application 106 is associated with and will only allow the requested operation to be performed if both the user and the external application are logged in and are using the same session token.
- the original application 104 before any operation can be performed by the external application 106 against the original application 104 , the original application 104 performs an intersection of permissions between the user's permission level from the client browser 102 and the external application's permission level 106 to determine a new permission set to use for any operations requested by the external application, such as those that retrieve data.
- FIGS. 2-4 the stages for implementing one or more implementations of system 100 are described in further detail.
- the processes of FIG. 2-4 are at least partially implemented in the operating logic of computing device 500 (of FIG. 5 ).
- FIG. 2 is a process flow diagram 200 that illustrates one implementation of the stages involved in restricting the permission level of an external application being accessed from a client browser.
- a request is received from a client browser to login to an original application (stage 202 ).
- the original application can include a content management or other application that is being accessed by the user from client browser.
- the original application then verifies that valid user credentials are specified.
- a session token is returned to the client browser after validating that access to the original application can be granted to the client browser (stage 204 ).
- a session token is only returned to the client browser when there is an external application running in the client browser that will need access to the original application.
- the session token is provided by the client browser to the external application so the external application can later retrieve the data it needs from the original application.
- the external application can be one of a variety of application types, but in general is a component or application that is providing some functionality to the client browser that needs to retrieve at least some of its information from the original application.
- the original application validates that access to the original application can be granted to the external application (stage 208 ), such as by confirming that a valid set of user credentials were supplied by the external application.
- the original application can look at a special indicator that is associated with the account of the external application to see that the external application can only be allowed to access functionality of the original application if the user is separately logged in to the original application.
- the external application then sends a request to the original application for the data that it needs to use in the client browser. That request includes the session token that was given to the external application by the client browser.
- the request for data is received by the original application from the external application (stage 210 ).
- the data requested by the external application is retrieved (stage 212 ).
- the original application will verify that the session token matches with the token previously supplied to the client browser before retrieving the requested data.
- the original application will perform an intersection on the permissions of the user and the external application to generate a new permission set, and will then use the new permission set to determine what security level to use for the data retrieval operation. This process is described in more detail in FIG. 3 . If the validation of the session token is successful, then the data is returned to the external application (stage 214 ). The external application can then further manipulate the data and then display or otherwise use the data in the client browser.
- FIG. 3 is a process flow diagram 300 that illustrates one implementation of the stages involved in performing an intersection on the permission set of the external application and on a user of the client browser to determine a new permission level to use. While the client browser and the external application are both logged in, a request is received from the external application to retrieve data (stage 302 ). An intersection is performed between the user's permission set associated with the client browser and the external application's permission set to determine the new permission set (stage 304 ). Some additional examples of how intersections work are shown in FIG. 4 to illustrate the concept more clearly.
- the security level associated with the new permission set is then used for the operation that retrieves the data (stage 306 ).
- This new permission set that results from the intersection will prevent an elevation of privilege by the user and the external application. In other words, neither the user nor the external application will be able to perform any operation that they are not entitled to perform.
- the requested data is then returned back to the external application (stage 308 ).
- the external application can then further manipulate the data and display or use it in some fashion with the client browser.
- FIG. 4 a diagrammatic view of three exemplary permission intersections 400 between a user's account permissions and an external application's permissions are illustrated.
- There example scenarios illustrate how an intersection of the user's permissions 402 with the external application's permissions 404 can result in the new permission set 406 that is then allowed to be used by the external application when accessing the original application.
- the user has fewer permissions than the external application, so the resulting permission set 414 will limit the external application's permissions.
- the resulting permission set 416 will limit the user's permissions for what can be performed by the external application.
- there is no intersection of permissions so the resulting permission set 418 is actually empty. In other words, the external application will not have authority to perform any operations against the original application.
- an exemplary computer system to use for implementing one or more parts of the system includes a computing device, such as computing device 500 .
- computing device 500 typically includes at least one processing unit 502 and memory 504 .
- memory 504 may be volatile (such as RAM), non-volatile (such as ROM, flash memory, etc.) or some combination of the two.
- This most basic configuration is illustrated in FIG. 5 by dashed line 506 .
- device 500 may also have additional features/functionality.
- device 500 may also include additional storage (removable and/or non-removable) including, but not limited to, magnetic or optical disks or tape.
- additional storage is illustrated in FIG. 5 by removable storage 508 and non-removable storage 510 .
- Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data.
- Memory 504 , removable storage 508 and non-removable storage 510 are all examples of computer storage media.
- Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can accessed by device 500 . Any such computer storage media may be part of device 500 .
- Computing device 500 includes one or more communication connections 514 that allow computing device 500 to communicate with other computers/applications 515 .
- Device 500 may also have input device(s) 512 such as keyboard, mouse, pen, voice input device, touch input device, etc.
- Output device(s) 511 such as a display, speakers, printer, etc. may also be included. These devices are well known in the art and need not be discussed at length here.
Abstract
Description
- In today's world of technology, a large number of applications run over the Internet in a web browser. In such environments, there is often an external component hosted by a third party that needs to be given access to the user's account on another system in order to provide its desired functionality. An example of such an external component can be a third party chart control that displays data from a content management application in interesting ways.
- In order to allow external applications to provide rich functionality in such browser applications, it is sometimes necessary to allow these external applications to operate on behalf of users. However, it can often be difficult to determine what security permissions to let the application use. If the application itself has a permission level which is used to limit its actions, then the application is limited from doing anything above that permission level. But this doesn't limit a user's ability to elevate their permission level. For example, an application might have permission to write to a list, while a user might only have permission to read the list. In this situation, the user could use the application to write to the list, thus gaining a permission they are not supposed to have.
- On the other hand, if the external application is limited by the permissions of the user who is using it, the application can elevate its permissions based upon the user interacting with it. This might occur, for example, when the external application has read-only permissions but is used by a user that has write permissions. In this latter scenario, the external application could use the user's permission to write data, possibly without the user even knowing about it. Thus, any time an external application is given authority to take an action based upon either the external application's security permission or the user's security permission level, there is an opportunity for an unauthorized elevation of permissions to occur.
- Various technologies and techniques are disclosed for restricting security levels that can be used with browser-based applications. When a request is received from an external application to retrieve data to be used by the external application within a client browser, an intersection is performed on a permission set of a user of the client browser and of the external application to determine a new permission set to use for retrieving the data requested by the external application.
- A method for restricting operations that can be performed by an external application that is being run in a client browser is described. A request is received from a client browser to login to an original application. A session token is returned to the client browser after validating that access to the original application can be granted to the client browser. While the client browser is still logged in to the original application, a request is received from an external application to login to the original application. Validation is performed to confirm that access to the original application can be granted to the external application. A request for data is received from the external application, with the request for data containing the session token that the external application obtained from the client browser.
- While the client browser and external application are both still logged in to the original application, the data requested by the external application is retrieved. In one implementation, an intersection is performed on a permission set of a user of the client browser and of the external application to determine a new permission set to use for retrieving the data requested by the external application. The data is returned to the external application.
- This Summary was provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter.
-
FIG. 1 is a diagrammatic view of a system for restricting permission levels of external applications of one implementation. -
FIG. 2 is a process flow diagram for one implementation illustrating the stages involved in restricting the permission level of an external application being accessed from a client browser. -
FIG. 3 is a process flow diagram for one implementation illustrating the stages involved in performing an intersection on the permission set of the external application and on a user of the client browser to determine a new permission level to use. -
FIG. 4 is a diagrammatic view of three exemplary permission intersections between a user's account permissions and an external application's permissions. -
FIG. 5 is a diagrammatic view of a computer system of one implementation. - The technologies and techniques herein may be described in the general context as an application that restricts the permission level that external applications can use when running in a client browser, but the technologies and techniques also serve other purposes in addition to these. In one implementation, one or more of the techniques described herein can be implemented as features within any other type of program or service that allows external applications to access data on behalf of a user.
- In one implementation, a user account for an original application is assigned to an external application (or to the server hosting the external application, etc.) The term “original application” as used herein is meant to include any type of application that has functionality that needs to be accessed by an external application for use in a client browser. The term “external application” as used herein is meant to include an application that resides on a separate process boundary or server from the original application, such as on a third party server. The term “client browser” as used herein is meant to include a web browser that resides on a device being operated by a user.
- The user account for the original application that is assigned to the external application is marked with a special indicator so that the external application will only be granted permissions to the original application if the user is also separately logged in to the original application. When the user logs in to the original application, a session token is returned back to the client browser. The term “session token” as used herein is meant to include an identifier assigned to the user's current session in the client browser. That session token is provided to the external application by the client browser. That way, when the external application makes requests for data from the original application, the original application will know what user session the application is associated with.
- In one implementation, the system also performs an intersection of permissions between the user's permission level and the external application's permission level to determine a new permission set to use for any operations requested by the external application. The term “performing an intersection” or “performs an intersection” as used herein is meant to include the process of doing an AND operation on the permissions between the two accounts to determine a new permission set. In an “AND” operation, only permissions that are contained in each set of permissions will be included in the new permission set. The term “new permission set” as used herein is meant to include the list of zero or more permissions that result after performing an intersection. Several examples of performing an intersection are shown in
FIG. 4 . -
FIG. 1 is a diagrammatic view of one implementation of asystem 100 for restricting permission levels of external applications.System 100 includes aclient browser 102,original application 104, and anexternal application 106.Original application 104 can be an application such as a content management application or any type of application that has data that is being requested byclient browser 102 and/or the client component ofexternal application 106 that is running withinclient browser 102.External application 106 can be any type of application that resides on a separate application domain or server fromoriginal application 104. For example,external application 106 can be a component that is being displayed inclient browser 102 that needs access to data contained inoriginal application 104 in order to perform its intended functionality. One non-limiting example of anexternal application 106 can include a chart component that gets displayed inclient browser 102 with data fromoriginal application 104 organized in a particular type of chart.External application 106 can be of virtually any type of component that is used withinclient browser 102, but that needs access to data fromoriginal application 104 in order to perform at least part of its desired function. - In one implementation, a user account for the
original application 104 is assigned to theexternal application 106. As a few non-limiting examples, a separate user account for the external application can be assigned to each server that runs the external application, just one for the external application overall, or the user account could be shared by all applications that the server running the external application hosts. Numerous other configurations of assigning one or more user accounts for use by theexternal application 106 could also be used. - The user account for the
original application 104 that is assigned to theexternal application 106 is marked with a special indicator so that theexternal application 106 will only be granted permissions to theoriginal application 104 if the user is also separately logged in to the original application. When the user logs in to theoriginal application 104 fromclient browser 102, a session token is returned back to the client browser. The session token can be in one of a variety of formats, and can include identifiers such as a time identifier, an application identifier, and/or a user identifier. Any data that uniquely identifier this particular session by the user could be included within the session token. - That session token is then provided to the external application by the client browser. When the
client browser 102 makes the request toexternal application 106 to perform some functionality that requires data fromoriginal application 104,client browser 102 provides the session token toexternal application 106. That way, when theexternal application 106 makes requests for data from theoriginal application 104, theoriginal application 104 will know what user session theexternal application 106 is associated with and will only allow the requested operation to be performed if both the user and the external application are logged in and are using the same session token. - In one implementation, before any operation can be performed by the
external application 106 against theoriginal application 104, theoriginal application 104 performs an intersection of permissions between the user's permission level from theclient browser 102 and the external application'spermission level 106 to determine a new permission set to use for any operations requested by the external application, such as those that retrieve data. These concepts will now be described in further detail inFIGS. 2-4 . - Turning now to
FIGS. 2-4 , the stages for implementing one or more implementations ofsystem 100 are described in further detail. In some implementations, the processes ofFIG. 2-4 are at least partially implemented in the operating logic of computing device 500 (ofFIG. 5 ). -
FIG. 2 is a process flow diagram 200 that illustrates one implementation of the stages involved in restricting the permission level of an external application being accessed from a client browser. A request is received from a client browser to login to an original application (stage 202). As noted earlier, a non-limiting example of the original application can include a content management or other application that is being accessed by the user from client browser. The original application then verifies that valid user credentials are specified. A session token is returned to the client browser after validating that access to the original application can be granted to the client browser (stage 204). In one implementation, a session token is only returned to the client browser when there is an external application running in the client browser that will need access to the original application. The session token is provided by the client browser to the external application so the external application can later retrieve the data it needs from the original application. - While the client browser is still logged in to the original application, a request is also received from an external application to login to the original application (stage 206). The external application can be one of a variety of application types, but in general is a component or application that is providing some functionality to the client browser that needs to retrieve at least some of its information from the original application. The original application validates that access to the original application can be granted to the external application (stage 208), such as by confirming that a valid set of user credentials were supplied by the external application. As noted earlier, the original application can look at a special indicator that is associated with the account of the external application to see that the external application can only be allowed to access functionality of the original application if the user is separately logged in to the original application.
- At some point in time after logging in, the external application then sends a request to the original application for the data that it needs to use in the client browser. That request includes the session token that was given to the external application by the client browser. The request for data is received by the original application from the external application (stage 210). The data requested by the external application is retrieved (stage 212). The original application will verify that the session token matches with the token previously supplied to the client browser before retrieving the requested data.
- In another implementation, the original application will perform an intersection on the permissions of the user and the external application to generate a new permission set, and will then use the new permission set to determine what security level to use for the data retrieval operation. This process is described in more detail in
FIG. 3 . If the validation of the session token is successful, then the data is returned to the external application (stage 214). The external application can then further manipulate the data and then display or otherwise use the data in the client browser. -
FIG. 3 is a process flow diagram 300 that illustrates one implementation of the stages involved in performing an intersection on the permission set of the external application and on a user of the client browser to determine a new permission level to use. While the client browser and the external application are both logged in, a request is received from the external application to retrieve data (stage 302). An intersection is performed between the user's permission set associated with the client browser and the external application's permission set to determine the new permission set (stage 304). Some additional examples of how intersections work are shown inFIG. 4 to illustrate the concept more clearly. - The security level associated with the new permission set is then used for the operation that retrieves the data (stage 306). This new permission set that results from the intersection will prevent an elevation of privilege by the user and the external application. In other words, neither the user nor the external application will be able to perform any operation that they are not entitled to perform. The requested data is then returned back to the external application (stage 308). As noted earlier, the external application can then further manipulate the data and display or use it in some fashion with the client browser.
- Turning now to
FIG. 4 , a diagrammatic view of threeexemplary permission intersections 400 between a user's account permissions and an external application's permissions are illustrated. There example scenarios illustrate how an intersection of the user'spermissions 402 with the external application'spermissions 404 can result in the new permission set 406 that is then allowed to be used by the external application when accessing the original application. In the first example 408, the user has fewer permissions than the external application, so the resulting permission set 414 will limit the external application's permissions. In the second example 410, the user has more permissions than the external application, so the resulting permission set 416 will limit the user's permissions for what can be performed by the external application. In the third example 412, there is no intersection of permissions, so the resulting permission set 418 is actually empty. In other words, the external application will not have authority to perform any operations against the original application. - As shown in
FIG. 5 , an exemplary computer system to use for implementing one or more parts of the system includes a computing device, such ascomputing device 500. In its most basic configuration,computing device 500 typically includes at least oneprocessing unit 502 andmemory 504. Depending on the exact configuration and type of computing device,memory 504 may be volatile (such as RAM), non-volatile (such as ROM, flash memory, etc.) or some combination of the two. This most basic configuration is illustrated inFIG. 5 by dashedline 506. - Additionally,
device 500 may also have additional features/functionality. For example,device 500 may also include additional storage (removable and/or non-removable) including, but not limited to, magnetic or optical disks or tape. Such additional storage is illustrated inFIG. 5 byremovable storage 508 andnon-removable storage 510. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data.Memory 504,removable storage 508 andnon-removable storage 510 are all examples of computer storage media. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can accessed bydevice 500. Any such computer storage media may be part ofdevice 500. -
Computing device 500 includes one ormore communication connections 514 that allowcomputing device 500 to communicate with other computers/applications 515.Device 500 may also have input device(s) 512 such as keyboard, mouse, pen, voice input device, touch input device, etc. Output device(s) 511 such as a display, speakers, printer, etc. may also be included. These devices are well known in the art and need not be discussed at length here. - Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims. All equivalents, changes, and modifications that come within the spirit of the implementations as described herein and/or by the following claims are desired to be protected.
- For example, a person of ordinary skill in the computer software art will recognize that the examples discussed herein could be organized differently on one or more computers to include fewer or additional options or features than as portrayed in the examples.
Claims (20)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/358,268 US20100192193A1 (en) | 2009-01-23 | 2009-01-23 | Security restriction techniques for browser-based applications |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/358,268 US20100192193A1 (en) | 2009-01-23 | 2009-01-23 | Security restriction techniques for browser-based applications |
Publications (1)
Publication Number | Publication Date |
---|---|
US20100192193A1 true US20100192193A1 (en) | 2010-07-29 |
Family
ID=42355248
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/358,268 Abandoned US20100192193A1 (en) | 2009-01-23 | 2009-01-23 | Security restriction techniques for browser-based applications |
Country Status (1)
Country | Link |
---|---|
US (1) | US20100192193A1 (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100170477A1 (en) * | 2008-01-19 | 2010-07-08 | Enio Biasci | Coupling Device |
US20130339160A1 (en) * | 2012-05-31 | 2013-12-19 | AppNexus Inc. | Application marketplace for online advertising applications |
EP3001293A4 (en) * | 2013-12-30 | 2016-08-31 | Huawei Device Co Ltd | Method and device for rights management |
US20160359861A1 (en) * | 2015-06-04 | 2016-12-08 | Sap Se | Accessing an application through application clients and web browsers |
US20180232779A1 (en) * | 2014-12-19 | 2018-08-16 | AdvisorDeck, LLC | Multi-tenant publishing system |
US10270759B1 (en) * | 2017-06-21 | 2019-04-23 | Mesosphere, Inc. | Fine grained container security |
US11288711B1 (en) * | 2014-04-29 | 2022-03-29 | Groupon, Inc. | Collaborative editing service |
US11568442B1 (en) | 2013-12-11 | 2023-01-31 | Groupon, Inc. | Unlocking editorial content |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5689708A (en) * | 1995-03-31 | 1997-11-18 | Showcase Corporation | Client/server computer systems having control of client-based application programs, and application-program control means therefor |
US6044466A (en) * | 1997-11-25 | 2000-03-28 | International Business Machines Corp. | Flexible and dynamic derivation of permissions |
US6339826B2 (en) * | 1998-05-05 | 2002-01-15 | International Business Machines Corp. | Client-server system for maintaining a user desktop consistent with server application user access permissions |
US20020138728A1 (en) * | 2000-03-07 | 2002-09-26 | Alex Parfenov | Method and system for unified login and authentication |
US20030079136A1 (en) * | 2001-08-21 | 2003-04-24 | Emmanuel Ericta | Security framework |
US20050125678A1 (en) * | 2001-11-14 | 2005-06-09 | Janssen Scope Llc | Systems and methods for configuring digital storage media with multiple access privileges |
US20050132220A1 (en) * | 2003-12-10 | 2005-06-16 | International Business Machines Corporation | Fine-grained authorization by authorization table associated with a resource |
US7392546B2 (en) * | 2001-06-11 | 2008-06-24 | Bea Systems, Inc. | System and method for server security and entitlement processing |
US20090222925A1 (en) * | 2008-03-02 | 2009-09-03 | Yahoo! Inc. | Secure browser-based applications |
US20090254978A1 (en) * | 2008-04-02 | 2009-10-08 | Microsoft Corporation | Delegated authentication for web services |
-
2009
- 2009-01-23 US US12/358,268 patent/US20100192193A1/en not_active Abandoned
Patent Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5689708A (en) * | 1995-03-31 | 1997-11-18 | Showcase Corporation | Client/server computer systems having control of client-based application programs, and application-program control means therefor |
US6044466A (en) * | 1997-11-25 | 2000-03-28 | International Business Machines Corp. | Flexible and dynamic derivation of permissions |
US6339826B2 (en) * | 1998-05-05 | 2002-01-15 | International Business Machines Corp. | Client-server system for maintaining a user desktop consistent with server application user access permissions |
US20020138728A1 (en) * | 2000-03-07 | 2002-09-26 | Alex Parfenov | Method and system for unified login and authentication |
US7392546B2 (en) * | 2001-06-11 | 2008-06-24 | Bea Systems, Inc. | System and method for server security and entitlement processing |
US20030079136A1 (en) * | 2001-08-21 | 2003-04-24 | Emmanuel Ericta | Security framework |
US20050125678A1 (en) * | 2001-11-14 | 2005-06-09 | Janssen Scope Llc | Systems and methods for configuring digital storage media with multiple access privileges |
US20050132220A1 (en) * | 2003-12-10 | 2005-06-16 | International Business Machines Corporation | Fine-grained authorization by authorization table associated with a resource |
US20090222925A1 (en) * | 2008-03-02 | 2009-09-03 | Yahoo! Inc. | Secure browser-based applications |
US20090254978A1 (en) * | 2008-04-02 | 2009-10-08 | Microsoft Corporation | Delegated authentication for web services |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100170477A1 (en) * | 2008-01-19 | 2010-07-08 | Enio Biasci | Coupling Device |
US20130339160A1 (en) * | 2012-05-31 | 2013-12-19 | AppNexus Inc. | Application marketplace for online advertising applications |
US11568442B1 (en) | 2013-12-11 | 2023-01-31 | Groupon, Inc. | Unlocking editorial content |
EP3001293A4 (en) * | 2013-12-30 | 2016-08-31 | Huawei Device Co Ltd | Method and device for rights management |
US11288711B1 (en) * | 2014-04-29 | 2022-03-29 | Groupon, Inc. | Collaborative editing service |
US11720932B2 (en) | 2014-04-29 | 2023-08-08 | Groupon, Inc. | Collaborative editing service |
US20180232779A1 (en) * | 2014-12-19 | 2018-08-16 | AdvisorDeck, LLC | Multi-tenant publishing system |
US20160359861A1 (en) * | 2015-06-04 | 2016-12-08 | Sap Se | Accessing an application through application clients and web browsers |
US10484385B2 (en) * | 2015-06-04 | 2019-11-19 | Sap Se | Accessing an application through application clients and web browsers |
US10270759B1 (en) * | 2017-06-21 | 2019-04-23 | Mesosphere, Inc. | Fine grained container security |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10331497B2 (en) | Software bot conflict-resolution service agent | |
US20100192193A1 (en) | Security restriction techniques for browser-based applications | |
US9418219B2 (en) | Inter-process message security | |
US9891810B2 (en) | Collaboration for network-shared documents | |
US8539599B2 (en) | Password protection using personal information | |
US10567485B2 (en) | Techniques for coordinating the sharing of content among applications | |
US10715458B1 (en) | Organization level identity management | |
JP6981824B2 (en) | Common authentication management service | |
US11392682B2 (en) | Image based passphrase for authentication | |
US11750612B2 (en) | Client-server security enhancement using information accessed from access tokens | |
US20070061432A1 (en) | System and/or method relating to managing a network | |
CN112805708A (en) | Securing selected disks on a computer system | |
CN112805700A (en) | Controlling installation of unauthorized drivers on a computer system | |
CN111712819A (en) | Merging identities | |
US9154308B2 (en) | Revocable platform identifiers | |
CN107886008B (en) | File management method, system, device and computer readable storage medium | |
US20170171209A1 (en) | Credential management system | |
US20170054729A1 (en) | Identity Management System | |
US11586760B2 (en) | System and method for associating multiple logins to a single record in a database | |
US10122533B1 (en) | Configuration updates for access-restricted hosts | |
CN110717153B (en) | Authority verification method and device | |
US11057453B2 (en) | Locking of client session using event listener | |
US20230139759A1 (en) | Data swap prevention in distributed computing environments | |
CN116340970A (en) | Service system login method, device, electronic equipment and readable storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: MICROSOFT CORPORATION, WASHINGTON Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:OLSON, ELISABETH KATARINA;ZHU, SHAOFENG;GOLDEN, JOSEPH MAXWELL;AND OTHERS;SIGNING DATES FROM 20090120 TO 20090121;REEL/FRAME:023126/0980 |
|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |
|
AS | Assignment |
Owner name: MICROSOFT TECHNOLOGY LICENSING, LLC, WASHINGTON Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MICROSOFT CORPORATION;REEL/FRAME:034766/0509 Effective date: 20141014 |